Taking data protection seriously
Local businesses must pay urgent attention to key lessons learnt from increasingly sophisticated breaches.
In the past year, the world has witnessed increasingly bold and sophisticated attacks on corporate and personal data around the world. The fact that there has been no common modus operandi in these attacks should be cause for concern among businesses everywhere, since this means attacks are unpredictable and harder to mitigate.
Significant IT companies have been breached, and even security-savvy victims tricked into parting with passwords. Clearly, the standard security protocols are no longer enough and data security must be built into the very fabric of the business.
Five key lessons South African businesses need to take from data breach patterns of the past year are:
1. Security is a C-suite problem
IT professionals are well aware of the risks, but in many cases, the rest of the C-suite sees security as a grudge purchase. This is understandable, because the reality is most C-level executives are focused on maximising their dwindling budgets to address business-critical initiatives, and protection against data breaches often takes a back seat.
But, protection of personal information is becoming legislated, and it is only a matter of time before C-suite members are held personally accountable for breaches. Business owns the data and is ultimately responsible for any breaches that occur, regardless of the measures IT might put in place. The business itself stands to fail if a significant breach occurs.
Business, therefore, needs visibility into where a company's data-breach vulnerabilities lie, and must actively participate in assisting IT to ensure policies are implemented and adapted to address ever-changing security threats. The C-suite cannot afford to sit back and 'see what happens' - it must immediately determine the risk and weigh it up against the investment, time and effort it wants to spend on mitigating that risk.
2. Cloud caution is warranted
For years, South African businesses were cautious about the security and sovereignty of their data in the cloud. A lack of clearly defined policies (or any policies, for that matter) often dissuaded companies from moving to the cloud.
Now, many have moved to the cloud, but typically through a hybrid or private model, with data security top of mind. This approach means companies cannot fully optimise the scalability and other benefits of the public cloud, but it also means their own data security policies can be applied to protecting their data at all times.
3. Data classification and DLP strategies are crucial
Classification of sensitive data is an extremely important step in implementing a data loss prevention strategy. This classification becomes the point of departure for understanding where sensitive data lies, how much of it is susceptible to breach, and how the company is tracking it in terms of protecting its sensitive data assets. Companies may well have their data centres locked down, but if sensitive data also resides in e-mail, test and development environments or unprotected workflow systems, it remains at risk.
Advanced solutions must be harnessed to manage the data classification process and give C-level users a holistic view into where they stand in terms of protection of data.
4. Security doesn't end at encryption
While encryption is an important step in securing data, it is not a fool-proof solution for all threats. Encryption is a great mechanism to prevent data access in the case of the theft of physical hardware, but it is just as important to protect data assets from unauthorised access within the organisation.
Some of the biggest data breaches in the past have been due to employees having full access to all systems and leaking sensitive information without the physical theft of hardware. Data masking is an important consideration to prevent this type of unauthorised access.
An example is production systems that are replicated to multiple test environments. Often, the data on production has some level of protection, but as soon as it is "cloned" to the test system, this protection is dropped and unauthorised users are able to access all sensitive information.
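The clone-to-test failure mode above, combined with the classification step from lesson 3, as an added example (not code from the original article): a per-column classification map of the kind a DLP classification exercise would produce drives the masking applied when production rows are copied to a test environment, unclassified columns are refused, and the clone is checked for surviving PII. The column tags, sample rows and key are constructed for this illustration.

```python
import hashlib
import hmac

# Per-column classification, as a DLP classification step would produce it
# (constructed for this example; the tag names are an assumption, not a standard).
CLASSIFICATION = {
    "customer_id": "identifier",  # kept as-is so joins still work in test
    "full_name": "pii",
    "email": "pii",
    "id_number": "pii_strong",
    "balance": "financial",
    "city": "public",
}

# Constructed sample production rows (fictional people and values).
PROD_ROWS = [
    {"customer_id": 1001, "full_name": "Thandi Mokoena", "email": "thandi@example.com",
     "id_number": "8001015009087", "balance": 15234.50, "city": "Durban"},
    {"customer_id": 1002, "full_name": "Pieter van Wyk", "email": "pieter@example.net",
     "id_number": "7506305012088", "balance": 320.10, "city": "Cape Town"},
]


def pseudonym(value: str, key: bytes) -> str:
    # Keyed one-way token: the same input gives the same token within one clone,
    # so foreign keys and de-duplication still behave, but nothing is reversible.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def mask_row(row: dict, key: bytes) -> dict:
    masked = {}
    for col, val in row.items():
        tag = CLASSIFICATION.get(col)
        if tag is None:
            # Unclassified data is never cloned: classification is the point of departure.
            raise ValueError(f"column {col!r} has no classification; refusing to clone")
        if tag == "pii":
            tok = pseudonym(str(val), key)
            masked[col] = f"{tok}@masked.invalid" if col == "email" else f"user-{tok}"
        elif tag == "pii_strong":
            masked[col] = "REDACTED"              # test systems never need the real value
        elif tag == "financial":
            masked[col] = round(float(val), -2)   # keep the shape of the data, not the fact
        else:                                     # "identifier", "public"
            masked[col] = val
    return masked


def clone_for_test(rows: list, key: bytes) -> list:
    # Build the test copy, then verify no original PII value survived the mask.
    clone = [mask_row(r, key) for r in rows]
    leaked = {str(r[c]) for r in rows for c, t in CLASSIFICATION.items() if t.startswith("pii")}
    for r in clone:
        for v in r.values():
            assert str(v) not in leaked, "masking failed: production PII in test clone"
    return clone
```

The key must be generated per clone and kept out of the test environment; with it absent, the tokens are not linkable back to production records.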
5. Ongoing education remains key
Enforcement of security policies doesn't only mean applying technology to monitor/track employees' usage of a company's data assets, but also implies an inherent culture shift in the processes of the business. This is often the biggest stumbling block that needs to be overcome, and ongoing staff education is needed to help staff understand the importance of data security, identify the various risks and possible attack modes, and recognise their own roles in securing sensitive data. It is not enough to post notices and have policies in place - ongoing awareness programmes must teach staff about phishing, scamming and the mechanisms hackers use to gain access.
In SA, financial services appears to be the leader in terms of data security best practice, mainly due to legislation, international guidelines and the sensitivity of the data the sector works with. However, many other sectors hold highly sensitive data too. All businesses need to learn from international breach trends and move to assess their data security risk and improve their security strategies.